XI CVEs

Posted: Wed Jan 19, 2022 8:36 am
by J.A.K
We are getting flagged by our security team for 3 new CVEs added by CISA targeting Nagios XI.

https://www.cisa.gov/uscert/ncas/curren ... es-catalog

CVE-2021-25296 Nagios XI OS Command Injection Vulnerability
CVE-2021-25297 Nagios XI OS Command Injection Vulnerability
CVE-2021-25298 Nagios XI OS Command Injection Vulnerability

I know these normally get fixed by the minor version releases, but since there is no set schedule I know of for those releases, I wanted to ask a few questions I can take back to my risk management.

1. Is Nagios aware of these CVEs to correct them in the next update?
2. Will that update be out by the February 1st CISA action due date?

Re: XI CVEs

Posted: Wed Jan 19, 2022 7:27 pm
by ssax
1. Yes, please see here next to each for the remediation:

https://www.nagios.com/products/security/

What XI version is your system running? You can find it on the bottom left hand side after logging in.

What OS version is the XI server running?

Code:

uname -a
cat /etc/*release

2. They should be fixed if you upgrade to the latest version of XI and upgrade the wizards/components to the latest in Admin > Manage Components and Admin > Manage Wizards. I'll know more based on your responses above.
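
The check above is done by hand (read the version off the login page, run uname and cat the release file, then compare against the vendor's security page). The following script, added here as an example and not taken from the thread or from Nagios, automates the comparison so a risk-management team can record a pass/fail per host. Everything it assumes is labelled: the version file path and its "full=X.Y.Z" line format are assumptions, the sample file content is constructed, and the required version is a placeholder to be filled in from https://www.nagios.com/products/security/ for the CVE in question.

```shell
#!/bin/sh
# Added example, not code from the Nagios thread or from Nagios.
# Compares an installed Nagios XI version against the minimum version
# recorded as remediated for a given CVE.
#
# Assumptions (not confirmed by the thread):
#   - the version file path /usr/local/nagiosxi/var/xiversion and its
#     "full=X.Y.Z" line format are assumed
#   - the required version is a placeholder taken from the vendor page
# sort -V (natural version sort) is a GNU coreutils feature.

# Return 0 when version $1 is greater than or equal to version $2.
# Uses natural version ordering so that 5.8.10 ranks above 5.8.7.
version_at_least() {
    installed=$1
    required=$2
    highest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# Extract the full version from text in the assumed "full=X.Y.Z" format.
xi_version_from_text() {
    printf '%s\n' "$1" | sed -n 's/^full=//p' | head -n 1
}

# Print a per-host verdict; return 0 when remediated, 1 when an upgrade is needed.
check_host() {
    host=$1
    installed=$2
    required=$3
    if version_at_least "$installed" "$required"; then
        echo "$host: XI $installed >= $required, remediated"
        return 0
    else
        echo "$host: XI $installed < $required, upgrade required"
        return 1
    fi
}

# Constructed sample of what the assumed version file might contain.
SAMPLE_XIVERSION='full=5.8.7
major=5
minor=8
release=7'

# Run on a real host with: FIXED_VERSION=<version from vendor page> sh check_xi.sh run
# (the OS details the support engineer asked for can be gathered alongside:
#  uname -a; cat /etc/*release)
if [ "${1:-}" = "run" ]; then
    if [ -z "${FIXED_VERSION:-}" ]; then
        echo "set FIXED_VERSION to the remediated version from the vendor page" >&2
        exit 2
    fi
    installed=$(xi_version_from_text "$(cat /usr/local/nagiosxi/var/xiversion)")
    check_host "$(hostname)" "$installed" "$FIXED_VERSION"
fi
```

The script compares only the XI core version; the thread's point that wizards and components are updated separately (Admin > Manage Components and Admin > Manage Wizards) still has to be verified in the UI, since a current core with stale wizards would pass this check.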

Re: XI CVEs

Posted: Wed Jan 19, 2022 11:15 pm
by J.A.K
Nagios 5.8.7 and RHEL 8.4. And that's perfect, I had no idea that page or, in fact, the wizard updates existed. Looking at versions, it looks like we're already covered. Thank you!

Re: XI CVEs

Posted: Thu Jan 20, 2022 5:20 pm
by ssax
You should not be vulnerable based on that.

Let us know when we're okay to close this ticket.

Thank you!

Re: XI CVEs

Posted: Thu Jan 20, 2022 7:31 pm
by J.A.K
You're good to lock this thread. Thank you!